RubyGems - solidus_core - Versions diffs - 2.11.16 → 2.11.17 - Mend

solidus_core 2.11.16 → 2.11.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/app/models/spree/log_entry.rb +74 -1
data/lib/spree/app_configuration.rb +16 -0
data/lib/spree/core/engine.rb +6 -0
data/lib/spree/core/version.rb +1 -1
data/lib/spree/testing_support/factories/user_factory.rb +6 -0
data/solidus_core.gemspec +1 -0
metadata +23 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eca3c22f4ee132c33aece457789669a65671005ce5b1c985a142813b699e35b0
-  data.tar.gz: d049f348d8cea36cb7b94a842a44a8ac818e09aa8db7bd1893f97a6217bb8459
+  metadata.gz: 78b3a6c05e492d60c9690e028991c934d4a2aa33788de045110a62b28924bbcb
+  data.tar.gz: 79213862902521b83cfa4dc56c9f6c59bc79cd6c73920145a53b1a67d3cb1eb2
 SHA512:
-  metadata.gz: 96235dffd078546e6319b38e7f582d316a009bcacf45103a8962bb6d7a7e2402bc3c867e5ad29006a461267be4bab536704a8ae2527a0f996a314c2514a01632
-  data.tar.gz: 4955b7cc26bfa9ca9e33023fbba57dc58b91c149971d8676fcc3779bb3852bfcd8ae3daa26091072419bda8a2ad5e16121974edca644ff7385a96f045c6785a4
+  metadata.gz: 18eac571ddd52378a9b186a8f18f8eccb7c0825e9d966926106ccfc07e25792ce0d4081b22175e671638bd1ccf98fd5292328887fa5872075690ddd3c1488fba
+  data.tar.gz: b2c25455b49e633a5b9388d92d2dd6d4bbc22a394f8c8d2eb81deb3e0c04e5fdc8e9a7916f9b4dfe97df2724f0607eb8b3fcaf9542e54e441752efdcf74d91a0

data/app/models/spree/log_entry.rb CHANGED Viewed

@@ -2,10 +2,83 @@
 module Spree
   class LogEntry < Spree::Base
+    # Classes used in core that can be present in serialized details
+    #
+    # Users can add their own classes in
+    # `Spree::Config#log_entry_permitted_classes`.
+    #
+    # @see Spree::AppConfiguration#log_entry_permitted_classes
+    CORE_PERMITTED_CLASSES = [
+      ActiveMerchant::Billing::Response,
+      ActiveSupport::TimeWithZone,
+      Time,
+      ActiveSupport::TimeZone
+    ].freeze
+    # Raised when a disallowed class is tried to be loaded
+    class DisallowedClass < RuntimeError
+      attr_reader :psych_exception
+      def initialize(psych_exception:)
+        @psych_exception = psych_exception
+        super(default_message)
+      end
+      private
+      def default_message
+        <<~MSG
+          #{psych_exception.message}
+          You can specify custom classes to be loaded in config/initializers/spree.rb. E.g:
+          Spree.config do |config|
+            config.log_entry_permitted_classes = ['MyClass']
+          end
+        MSG
+      end
+    end
+    # Raised when YAML contains aliases and they're not enabled
+    class BadAlias < RuntimeError
+      attr_reader :psych_exception
+      def initialize(psych_exception:)
+        @psych_exception = psych_exception
+        super(default_message)
+      end
+      private
+      def default_message
+        <<~MSG
+          #{psych_exception.message}
+          You can explicitly enable aliases in config/initializers/spree.rb. E.g:
+          Spree.config do |config|
+            config.log_entry_allow_aliases = true
+          end
+        MSG
+      end
+    end
+    def self.permitted_classes
+      CORE_PERMITTED_CLASSES + Spree::Config.log_entry_permitted_classes.map(&:constantize)
+    end
     belongs_to :source, polymorphic: true, optional: true
     def parsed_details
-      @details ||= YAML.load(details)
+      @details ||= YAML.safe_load(
+        details,
+        permitted_classes: self.class.permitted_classes,
+        aliases: Spree::Config.log_entry_allow_aliases
+      )
+    rescue Psych::DisallowedClass => e
+      raise DisallowedClass.new(psych_exception: e)
+    rescue Psych::BadAlias => e
+      raise BadAlias.new(psych_exception: e)
     end
   end
 end

data/lib/spree/app_configuration.rb CHANGED Viewed

@@ -188,6 +188,22 @@ module Spree
     #   @return [String] URL of logo used on frontend (default: +'logo/solidus.svg'+)
     preference :logo, :string, default: 'logo/solidus.svg'
+    # @!attribute [rw] log_entry_permitted_classes
+    #   @return [Array<String>] An array of extra classes that are allowed to be
+    #     loaded from a serialized YAML as details in {Spree::LogEntry}
+    #     (defaults to a non-frozen empty array, so that extensions can add
+    #     their own classes).
+    #   @example
+    #     config.log_entry_permitted_classes = ['Date']
+    preference :log_entry_permitted_classes, :array, default: []
+    # @!attribute [rw] log_entry_allow_aliases
+    #   @return [Boolean] Whether YAML aliases are allowed when loading
+    #     serialized data in {Spree::LogEntry}. It defaults to true. Depending
+    #     on the source of your data, you may consider disabling it to prevent
+    #     entity expansion attacks.
+    preference :log_entry_allow_aliases, :boolean, default: true
     # @!attribute [rw] mails_from
     #   @return [String] Email address used as +From:+ field in transactional emails.
     preference :mails_from, :string, default: 'solidus@example.com'

data/lib/spree/core/engine.rb CHANGED Viewed

@@ -15,6 +15,12 @@ module Spree
         generator.test_framework :rspec
       end
+      if ActiveRecord.respond_to?(:yaml_column_permitted_classes) || ActiveRecord::Base.respond_to?(:yaml_column_permitted_classes)
+        config.active_record.yaml_column_permitted_classes ||= []
+        config.active_record.yaml_column_permitted_classes |=
+          [Symbol, BigDecimal, ActiveSupport::HashWithIndifferentAccess]
+      end
       initializer "spree.environment", before: :load_config_initializers do |app|
         app.config.spree = Spree::Config.environment
       end

data/lib/spree/core/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module Spree
-  VERSION = "2.11.16"
+  VERSION = "2.11.17"
   def self.solidus_version
     VERSION

data/lib/spree/testing_support/factories/user_factory.rb CHANGED Viewed

@@ -21,6 +21,12 @@ FactoryBot.define do
       end
     end
+    trait :with_orders do
+      after(:create) do |user, _|
+        create(:order, user: user)
+      end
+    end
     factory :admin_user do
       after(:create) do |user, _|
         admin_role = Spree::Role.find_by(name: 'admin') || create(:role, name: 'admin')

data/solidus_core.gemspec CHANGED Viewed

@@ -41,6 +41,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'monetize', '~> 1.8'
   s.add_dependency 'kt-paperclip', ['>= 4.4.0', '< 7']
   s.add_dependency 'paranoia', '~> 2.4'
+  s.add_dependency 'psych', ['>= 3.1.0', '< 5.0']
   s.add_dependency 'ransack', '~> 2.0'
   s.add_dependency 'state_machines-activerecord', '~> 0.6'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_core
 version: !ruby/object:Gem::Version
-  version: 2.11.16
+  version: 2.11.17
 platform: ruby
 authors:
 - Solidus Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-01 00:00:00.000000000 Z
+date: 2022-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionmailer
@@ -364,6 +364,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: psych
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: ransack
   requirement: !ruby/object:Gem::Requirement
@@ -992,7 +1012,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.23
 requirements: []
-rubygems_version: 3.2.31
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Essential models, mailers, and classes for the Solidus e-commerce project.